Taiwan Government Targeted by Multiple Cyberattacks in April 2020 - Part 1

In April 2020, highly malicious cyber activity was detected in several Taiwan government agencies. In one environment alone, out of the thousands of endpoints scanned, 30 endpoints were confirmed to be infected, and 10 high-risk endpoints were connected by these compromised endpoints. 10 key malware were discovered during these sophisticated targeted attacks — most of them were Waterbear Loader malware.

This article is Part 1 of a series of articles. Click here to read Part 2: Owlproxy Malware.

CyCraft AIR assigns Threat Level 10 to the most severe and most damaging malware.

Highlighted Tactics

The attackers discovered and leveraged a weak point in trusted and commonly used data loss prevention (DLP) software in order to trigger malware and maintain persistence. The government agencies targeted for attack in April 2020 had already been compromised prior to the April attacks; however, CyCraft AIR (our automated detection and response platform) discovered that not all the malware from the previous attack was removed during another vendor’s IR investigation, allowing the attackers to use the previously compromised endpoints yet again.

The discovered Waterbear Loader malware used several methods to evade defense. (Each method will be expanded upon later in the article.)

  • DLL hijacking to stealthily trigger next stage malware
  • Enlarging binary size to bypass scanning protocols
  • Heaven’s Gate to avoid antivirus detection
  • Forcing DLLs to unload to obfuscate malware
  • Padding memory with Kernel32 content to confuse analyses

Network Level Activity

The attackers first compromised a user’s endpoint to harvest administrative credentials. The credentials were then utilized to RDP a web server. With the connectivity of the web server, the attackers “net use” through (proxying) the webserver, allowing them to distribute malware directly to other endpoints.

As mentioned before, several malware was not removed from a previous IR investigation. One endpoint in the victim’s private network was still compromised. The attackers used this previously compromised endpoint in the victim’s private network as the C2 server for this attack.

System Level Activity
DLL Hijacking

One key feature of this attack was DLL Hijacking.

What is DLL Hijacking?

A DLL hijacking attack exploits the Windows search and load mechanism, allowing attackers to inject code into applications through disk manipulation. By simply injecting a DLL file in the right location, attackers can cause vulnerable applications to load malicious DLLs.

The attackers leveraged a DLL hijacking vulnerability in the DLP software to enlarge its defensive evasion capability and to persistently trigger next-stage malware. However, the DLP software failed to verify the integrity of their loaded DLLs. Thus the DLP software loaded the malicious DLL with high privilege.

DLL Hijacking Flowchart

The attacker modified LOG4C.DLL to implant a new entry in the import table. The new entry will enforce the DLP software to load the malicious SecureFile.dll (or LIBDIG.dll). The loaded DLL then injects shellcode to system services, including Winmgmt, sens, Wuauserv and LanmanServer. Then, the next-stage malware payload is invoked to communicate to the C2 server.

Next-Stage Malware

C[:]\PROGRAM FILES\XYZ\AGENT\ExportAgentConfig[.]dat
C[:]\Windows\PolicyDefinitions\TrayBar.admx

Malicious machinations are lurking within LOG4C.DLL

SECUFILE.DLL is up to no good. CyCraft AIR detected the malware within the DLL.
Increased Size

File-based scanners sometimes skip the scanning of larger files to maintain performance. The attackers enlarged the file size to bypass scanning altogether. The original size of file oci[.]dll is 66.5 KB however, as the above screenshot of CyberTotal demonstrates, oci[.]dll had been enlarged to 130 MB. Thus allowing it to be ignored by numerous security scanning tools.

Size Matters
Windows IKEEXT Service Abuse

The threat actor made use of Windows IKEEXT Service to load even more malware into memory — WLBSCTRL.DLL. Windows IKEEXT Service is a service for APN authentication that is disabled in the default Windows setting. This service is widely abused by attackers we observe.

WLBSCTRL.DLL

Waterbear Loader Malware Analysis
File Metadata
filename: libgid.dll
md5: e3be074e0da9ba0c3201ceea4dd972d6
sha1: cd8f49e467cf2f630c7f3b38a2e4c30e7bac6466
sha256: e69690e4f94a60678aefc3adb80eef484bb5ca4285a2d3aabc1bb8d975fb7610
filetype: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
family: Waterbear Loader

Indicator
file_path: C[:]\Windows\PolicyDefinitions\TrayBar.admx

RICH Header

The Waterbear Loader malware resurrected a 10-year-old antivirus evasion technique known as Heaven’s Gate. In this particular case, the attackers applied Heaven’s Gate to inject shellcode into the 64-bit system service from 32-bit WoW64.

Just as 64-bit and 32-bit programs are quite different, so are analysis mechanisms. Malware equipped with Heaven’s Gate contains both 64-bit and 32-bit parts. Therefore, some monitor/analysis systems will only apply 32-bit analysis and will fail the 64-bit part; thus, this approach will break some monitor/analysis mechanisms.

Waterbear Loader forced itself to be unloaded, allowing it to evade detection from some memory forensic tools.

What is Heaven’s Gate?
This antivirus evasion technique permits 32-bit malware to hide API calls by switching to a 64-bit environment. Malware typically remains hidden inside the loader making it difficult for the AV to detect.

While Heaven’s Gate was first considered to be an advanced technique, over the last decade the Heaven’s Gate exploit has been observed in more and more rootkits as well as other malware, such as the infamous Emotet trojan.

Even though usage of the Heaven’s Gate spread, Microsoft’s release of Control Flow Guard (CFG) in Windows 10 immediately hindered the exploit’s effectiveness as CFG prevented code jumps from WoW64 32-bit execution to native 64-bit code execution space. However, like most exploits, attackers still equip them when targeting legacy systems and the like — further demonstrating the need for organizations to update defenses early and update them often.

Behavior

  1. Waterbear Loader first checks whether the current execution context is WoW64, and looks for Winmgmt, sens, Wuauserv, LanmanServer to inject the shellcode.
  2. Then, Waterbear Loader uses xor to decrypt strings in file with key 0x2a361c78
  3. Waterbear Loader reads the encrypted payload. In this case: C:\Windows\PolicyDefinitions\TrayBar.admx
  4. Then uses RC4 to decrypt it with key: 690c402f435878175d454028455a751b5372791e4358750c4359720b76626e1953
    747d0a0457781552361c78
  5. In an attempt to further confuse analysis, Waterbear Loader padded contents from Kernel32.dll in front of and behind their shellcode.
  6. Used x64_InjectShellcode to inject shellcode to the previously found service by Heaven’s Gate.
  7. In the end, the LdrData data is modified and forced to free the library by FreeLibraryAndExitThread.

MITRE ATT&CK®

The following MITRE ATT&CK techniques were observed in this attack.

Persistence

T1547.001 Registry Run Keys/ Startup Folder
T1574.001 DLL Search Order Hijacking

Privilege Escalation

T1574.001 DLL Search Order Hijacking

Defense Evasion

T1574.001 DLL Search Order Hijacking
T1027.002 Software Packing
T1070.006 Timestop

Lateral Movement

T1021.001 Remote Desktop Protocol

IOCs

IOCS                                 NAME

30DDEFC3093AFD7075A74BE30A381A3D     SQLWVSS.DLL

C6EE3CEED5ADA7EE23FEB0E0CEA95193     IGTERM.DLL

8B4631B618D2B516A3D3EBC38B25D267     OCI.DLL

2FAAFC5D2C4BC6DE4D0B73B34FB7B379     SECUFILE.DLL

E3BE074E0DA9BA0C3201CEEA4DD972D6     LIBGID.DLL

F44805399017DAECF9E37F7190BCF699     WLBSCTRL.DLL

F10034D1D8F90F36FEA602A4128BAEBC     SQLWVSS_NT.DLL

49D6C7FD1D47F345F64EEA6DA8591084     LOG4C.DLL

AE63EBAE30678DA8A7314A9427747BBE     LIBGID.DLL

48AA2A38E5125C4E0E4A069C473F67FC     LOG4C.DLL

Mitigation

1. Add listed IOCs to preventative solution blacklists.

2. Adjust detection and response solutions to detect listed IOCs.

3. Meticulously tracking down the root cause of the attack (not just the endpoint) and thoroughly removing malware is not only paramount in an IR investigation but could also prevent future attacks.

4. As DLP software is widely deployed in sensitive organizations, is daily-used software, and often has high privilege, DLP vendors and customers both need to constantly be striving on hardening security to maintain resilience even in the worst of situations.

5. Do not rely on a one-solution security policy. Preventative solutions (e.g., firewalls, antivirus) and DLP solutions are no longer enough to maintain resilience during an attack of this sophistication. AI-driven detection and response solutions, such as our award-winning CyCraft AIR, not only reduce mean dwell time but also increase SOC efficiency, automate investigations, and reduce alert fatigue.

This article is Part 1 of a series of articles. Click here to read Part 2: Owlproxy Malware.

Writer: CyCraft

CyCraftについて

CyCraft(サイクラフト)は、AIによる自動化技術を専門とするサイバーセキュリティ企業。2017年に設立され、台湾に本社、日本とシンガポールに海外拠点を持つ。アジア太平洋地域の政府機関、警察・防衛機関、銀行、ハイテク製造業にサービスを提供している。CyCraft の AI技術 と機械学習技術によるソリューションが評価され、CID グループ とテマセク・ホールディングス旗下のパビリオンキャピタルから強力なサポートを獲得し、また、国際的トップ研究機構である Gartner、 IDC、Frost & Sullivan などから複数の項目において評価を受けている他、国内外の著名な賞をいくつも受賞している。また、国内外を含む複数のセキュリティコミュニティ、カンファレンスに参画し、長年にわたりセキュリティ業界の発展に尽力している。

CyCraft ニュースレター購読

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
[申し込み]をクリックすることで、CyCraftのプライバシーポリシーにしたがって個人情報が使用されることに同意したこととなります。購読の解除はいつでも可能です。